Configure exclusions for files opened by processes

You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.

This topic describes how to configure exclusion lists for the following:

| Exclusion | Example |
| --- | --- |
| Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: `c:\sample\test.exe`, `d:\internal\files\test.exe` |
| Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by: `c:\test\sample\test.exe`, `c:\test\sample\test2.exe`, `c:\test\sample\utility.exe` |
| Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by `c:\test\process.exe` |

When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.

By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.

Enter each process on its own line under the Value name column. See the example table for the different types of process exclusions. Enter 0 in the Value column for all processes.

Click OK.

Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:

Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.

The format for the cmdlets is:

<cmdlet> -ExclusionProcess "<item>"

The following are allowed as the <cmdlet>:

| Configuration action | PowerShell cmdlet |
| --- | --- |
| Create or overwrite the list | Set-MpPreference |
| Add to the list | Add-MpPreference |
| Remove items from the list | Remove-MpPreference |

Important

If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.

For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

See Manage antivirus with PowerShell cmdlets and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified processes from scans:

Use wildcards in the process exclusion list

The use of wildcards in the process exclusion list is different from their use in other exclusion lists.

In particular, you cannot use the question mark ? wildcard, and the asterisk * wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.

The following table describes how the wildcards can be used in the process exclusion list:

| Wildcard | Use | Example use | Example matches |
| --- | --- | --- | --- |
| `*` (asterisk) | Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
| `?` (question mark) | Not available | - | - |
| Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | | |
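
To review an exclusion list against the rules above, the following added example (not Microsoft's code) classifies each entry by the three exclusion types this article describes and flags entries that break its wildcard rules. The function name `Test-ProcessExclusion` and the sample entries are hypothetical; `Get-MpPreference` is the Defender module cmdlet that returns the configured list.

```powershell
function Test-ProcessExclusion {
    param([Parameter(Mandatory)][string]$Entry)

    # Wildcard rules for the process exclusion list, as stated in this article.
    $problems = @()
    if ($Entry.Contains('?')) { $problems += "'?' wildcard is not available" }
    $star = $Entry.IndexOf('*')
    if ($star -ge 0 -and $star -ne $Entry.Length - 1) {
        $problems += "'*' is only allowed at the end of a complete path"
    }

    # Scope follows the article's table: bare file name, trailing wildcard, or full path.
    $scope = if ($Entry -notmatch '[\\/]') {
        'Any process with this file name, in any folder'
    } elseif ($Entry.EndsWith('*')) {
        'Any process under the path before the asterisk'
    } else {
        'One specific process in one specific folder'
    }

    [pscustomobject]@{
        Entry    = $Entry
        Scope    = $scope
        # Assumption: expanded in the caller's context, which can differ from
        # the context in which Windows Defender Antivirus evaluates the entry.
        Expanded = [Environment]::ExpandEnvironmentVariables($Entry)
        Problems = $problems -join '; '
    }
}

# Constructed sample entries; the first three are the article's own examples.
$entries = 'test.exe', 'c:\test\sample\*', 'c:\test\process.exe',
           'c:\tools\te?t.exe', 'c:\*\agent.exe', '%ALLUSERSPROFILE%\Vendor\svc.exe'

# On a live machine, review the configured list instead:
# $entries = (Get-MpPreference).ExclusionProcess

$entries | ForEach-Object { Test-ProcessExclusion -Entry $_ } |
    Format-Table -AutoSize -Wrap
```

Entries reported with the "any folder" scope deserve the closest review, because any process with that file name, wherever it is located, causes the files it opens to be skipped by scans.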